CVE-2026-41899 Overview
Coolify is an open-source, self-hostable platform for managing servers, applications, and databases. CVE-2026-41899 affects the POST /api/feedback endpoint in versions prior to 4.0.0-beta.474. The endpoint lacks authentication, rate limiting, and input validation. Attackers can forward arbitrary content directly to the configured Discord webhook, enabling spam, content injection, and webhook abuse. The issue is fixed in version 4.0.0-beta.474. The weakness is categorized as Missing Authentication for Critical Function [CWE-306].
Critical Impact
Any unauthenticated remote attacker can abuse the feedback API to relay arbitrary messages through the operator's Discord webhook, creating opportunities for spam floods, phishing content injection, and reputational damage to the Coolify instance owner.
Affected Products
- Coolify versions prior to 4.0.0-beta.474
- Deployments with the feedback_discord_webhook constant configured
- Self-hosted Coolify instances exposing the /api/feedback route to untrusted networks
Discovery Timeline
- 2026-07-06 - CVE-2026-41899 published to NVD
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-41899
Vulnerability Analysis
The vulnerability resides in the feedback method of app/Http/Controllers/Api/OtherController.php. The controller reads the content field from the incoming request and forwards it directly to a Discord webhook using Http::post(). No authentication middleware guards the route, no throttle is applied, and no validation constrains the payload length or type. An attacker sending high-volume POST requests can flood the operator's Discord channel with arbitrary messages. Because the content is passed through unchanged, attackers can also inject Discord mentions such as @everyone or @here to amplify disruption, or embed phishing links that appear to originate from the trusted operator channel.
Root Cause
The root cause is missing authentication and missing input validation on a server-side webhook relay. The controller trusts unauthenticated user input and treats it as safe outbound content. Without rate limiting, a single attacker can send unlimited requests, exhausting Discord webhook quotas and generating noise that hides legitimate feedback.
Attack Vector
Exploitation requires only network access to the Coolify API. An attacker sends repeated HTTP POST requests to /api/feedback with attacker-controlled content. Each request is proxied to the configured Discord webhook, delivering the attacker's payload to the operator's channel.
// Security patch in app/Http/Controllers/Api/OtherController.php
// refactor(api): validate and throttle feedback endpoint (#9653)
public function feedback(Request $request)
{
- $content = $request->input('content');
+ $data = $request->validate([
+ 'content' => ['required', 'string', 'min:10', 'max:2000'],
+ ]);
+
$webhook_url = config('constants.webhooks.feedback_discord_webhook');
if ($webhook_url) {
- Http::post($webhook_url, [
- 'content' => $content,
+ Http::timeout(5)->post($webhook_url, [
+ 'content' => $data['content'],
+ 'allowed_mentions' => ['parse' => []],
]);
}
}
// Source: https://github.com/coollabsio/coolify/commit/371e883c75a87d82c398bf89ee8ad6387348520d
The patch adds strict validation on content length, enforces a request timeout, and disables Discord mention parsing by setting allowed_mentions to an empty parse list. A companion change in app/Livewire/Help.php caps the subject field length to prevent oversized submissions from the UI path.
Detection Methods for CVE-2026-41899
Indicators of Compromise
- Bursts of unauthenticated POST requests to /api/feedback from a single or small set of source IP addresses
- Discord channel messages containing @everyone, @here, or suspicious external URLs delivered through the Coolify feedback webhook
- Unusually large or repeated identical content payloads in Coolify web server access logs
Detection Strategies
- Parse web server or reverse proxy logs for requests to /api/feedback and alert when request rate exceeds a baseline threshold per source IP.
- Monitor Discord webhook delivery logs for message volume anomalies tied to the feedback channel.
- Correlate application logs with outbound HTTP calls to discord.com/api/webhooks/* to detect proxied abuse.
Monitoring Recommendations
- Enable structured logging of all /api/feedback requests including source IP, User-Agent, and payload length.
- Configure alerts on Discord webhook rate-limit responses (HTTP 429) originating from the Coolify host.
- Track versions of deployed Coolify instances to confirm they are running 4.0.0-beta.474 or later.
How to Mitigate CVE-2026-41899
Immediate Actions Required
- Upgrade Coolify to version 4.0.0-beta.474 or later, which validates and throttles the feedback endpoint.
- If upgrade is not immediately possible, rotate the Discord webhook URL configured in feedback_discord_webhook to invalidate any URL already known to attackers.
- Restrict network access to the Coolify API using a reverse proxy allowlist or firewall rules while patching is scheduled.
Patch Information
The fix is delivered in Coolify 4.0.0-beta.474 through pull request coollabsio/coolify#9653 and commit 371e883c. Details are documented in the GitHub Security Advisory GHSA-v64c-v633-58xp. The patch enforces a content length between 10 and 2000 characters, applies a 5-second HTTP timeout, and disables Discord mention parsing.
Workarounds
- Temporarily unset feedback_discord_webhook in the Coolify configuration to disable the relay entirely until the upgrade is applied.
- Apply reverse proxy rate limiting on the /api/feedback route, for example with Nginx limit_req or Traefik middleware.
- Block or challenge unauthenticated POST requests to /api/feedback at the web application firewall.
# Nginx rate-limit example for the vulnerable route
limit_req_zone $binary_remote_addr zone=feedback:10m rate=5r/m;
location /api/feedback {
limit_req zone=feedback burst=5 nodelay;
limit_req_status 429;
proxy_pass http://coolify_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

